Exlink

Lulo Solutions LLC

Data Processing Addendum (DPA)

Version 2.0 Last Updated: June 20, 2024

This Data Processing Addendum, originally published as a standalone document, has been superseded in its entirety by Section 17 (Data Protection Law — GDPR) and Section 18 (Data Protection Law — CCPA) of the Terms of Service, effective June 20, 2024. As of that date, this standalone Data Processing Addendum is no longer in effect and carries no independent legal force.

For the current and binding data processing provisions governing the Exlink platform, please refer to the Terms of Service, Sections 17 and 18.

Section 17: GDPR Data Protection

The Terms of Service, Section 17 addresses the following subject matter:

(a) Applicability. The scope of application to transactions involving citizens or residents of the European Union where personal data is transferred from the EU to the United States.

(b) Purpose Limitation. The restriction of data processing to the specific purpose or purposes of the transfer as set out in the Agreement.

(c) Security of Processing. The implementation of appropriate technical and organizational measures, including encryption and pseudonymization, to protect personal data during processing.

(d) Sub-Processor Management. The general authorization for sub-processors on an agreed list, with a minimum of seven (7) days advance notice prior to any changes to sub-processor arrangements.

(e) Data Subject Rights. The Company’s obligation to assist the Data Exporter in fulfilling data subject rights as provided under the General Data Protection Regulation.

(f) Breach Notification. The requirement to notify the Data Exporter without undue delay of any personal data breach, including the relevant details of the incident.

(g) Onward Transfers. The restriction on disclosure of personal data to third parties, permitted only pursuant to documented instructions and to parties bound by appropriate GDPR Clauses.

(h) Supervision. The designation of the Data Exporter’s EU member state supervisory authority as the competent authority for overseeing compliance with data protection obligations.

Section 18: CCPA Data Protection

As of the last update to the Terms of Service, Lulo Solutions and Exlink are not subject to either the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA). Should this determination change, the Terms of Service will be amended accordingly.

All questions regarding data processing practices should be directed to security@exlink.org.